Date: Wed, 23 Jun 2010 19:15:33 -0400
From: "Eric W. Bates" <ericx@ericx.net>
To: ralf@dzie-ciuch.pl
Cc: freebsd-net@freebsd.org
Subject: Re: vpn trouble
Message-ID: <4C229595.20902@ericx.net>
In-Reply-To: <655d7279cefc01b3fbe0016c598fcd72@ewipo.pl>
References: <87260c422232fa7409a4b374341dd106@ewipo.pl> <20100622143543.GA72020@zeninc.net> <c5781e9db1e6339b5b23c0c403c68d9a@ewipo.pl> <20100622153541.GA72211@zeninc.net> <6caa9895ae1710b9f48a227116a4340c@ewipo.pl> <20100622190819.270aaa74@gda-arsenic> <4f378cfb416582c3081377ba714e508a@ewipo.pl> <20100622201130.5824d585@gda-arsenic> <20100622182242.GU2620@verio.net> <4C210B0F.6060203@ericx.net> <655d7279cefc01b3fbe0016c598fcd72@ewipo.pl>
On 6/22/2010 3:55 PM, ralf@dzie-ciuch.pl wrote:
>> I managed to do an IP in IP tunnel with IPsec encryption between a
>> FreeBSD and a cisco router running 12.1(mumble) several years ago.
>>
>> It is a desirable option if you want to use routing (e.g. ospf). You
>> can't route an IPSec tunnel (actually, is this now possible with enc0
>> interfaces?) but you can route to the gif interfaces.
>>
> Can you tell me how to use route command to use it like above?

I have to admit that I no longer have access to that client's machines. However, I can describe in broad strokes.

In our case the need was to provide a backup route for a dedicated T1. Occasionally the T1 would fail; so we wanted an alternate route thru the internet. The internet path had to be encrypted; but it was much slower; so we wanted the T1 to have priority. The router terminating the T1 was separate from the router providing general internet access.

This was between a hospital and a service provider. A lot of this could be simplified except that the vendor HAD to provide the server, the circuit, and the router (those of you who support banks or hospitals know what I'm talking about.) There is already a static route in place for the provider via the T1 router.

We first built a simple IPencap tunnel between our FreeBSD box and their cisco. The FreeBSD side used a gif and the cisco side used a tunnel interface. We confirmed that we could ping end-points. Then we added the ospf to the mix in order to detect when the T1 dropped. We weighted the ospf so that the T1 was prioritized. Once that was working we added the IPSec as transport between the endpoints of the IpinIP tunnel rather than encapsulation.

That was the only time I've built an IPSec tunnel with that method. Folks with better understanding than I can perhaps explain the pros and cons. In our case, it was a simple expedient to support ospf.
I have noticed since then that OS X's GUI only supports this method of IPSec tunneling; so I'm going to have to do it again to support some other customers.

Some parts on the cisco side might appear thusly (I'm doing this from memory so ymmv):

    interface FastEthernet0.2
     description VLAN 500 to Comcast router
     encapsulation dot1Q 500
     ip address x.x.x.x 255.255.255.252

The encryption part:

    crypto isakmp policy 10
     encr 3des
     hash sha
     authentication pre-share
     group 2
    ! the 0.0.0.0 0.0.0.0 mask offers this key to any peer address;
    ! pin it to the provider's address (y.y.y.y) if the peer is fixed
    crypto isakmp key foobar-key address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set PROVIDER-SET esp-3des esp-sha-hmac
    !
    crypto ipsec profile PROVIDER-PROF
     set transform-set PROVIDER-SET

The tunnel part:

    interface tunnel0
     description IPnIP tunnel thru comcast to PROVIDER
     ip address 192.168.254.3 255.255.255.252
     ip ospf mtu-ignore
     tunnel source x.x.x.25
     tunnel destination y.y.y.y
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile PROVIDER-PROF

The OSPF part:

    router ospf 10101
     log-adjacency-changes
     redistribute connected subnets
     redistribute static subnets
     passive-interface FastEthernet0/0
     passive-interface FastEthernet0/0.1
     passive-interface FastEthernet0/0.2
     network 128.1.0.0 0.0.255.255 area 0
     network 192.168.8.0 0.0.3.255 area 0
     network 192.168.254.0 0.0.0.3 area 0

The static route part:

    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    ip route 192.168.8.0 255.255.252.0 10.21.1.2
    ip route 192.168.20.0 255.255.255.0 10.21.1.2
    ip route y.y.y.y 255.255.255.255 x.x.x.26
    ! the last route is just to make sure the tunnel uses Comcast
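The FreeBSD side of the same design, as an added example that is not part of this thread: a gif IP-in-IP tunnel, transport-mode IPsec restricted by setkey(8) policy to the tunnel's outer packets (IP protocol 4), and the host route that pins the peer to the internet router rather than the T1. All addresses are constructed placeholders; the IKE daemon, the ospfd configuration (with a higher cost on gif0 than on the T1 path) and a matching transport-mode policy on the peer are assumed to be set up separately.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed addresses only.
OUTER_LOCAL="${OUTER_LOCAL:-198.51.100.25}"   # our public address
OUTER_PEER="${OUTER_PEER:-203.0.113.1}"       # peer router's public address
INNER_LOCAL="${INNER_LOCAL:-192.168.254.4}"   # our end of the tunnel /30
INNER_PEER="${INNER_PEER:-192.168.254.3}"     # peer's tunnel0 address
INET_GW="${INET_GW:-198.51.100.26}"           # internet router, not the T1 router

# SPD entries for setkey(8): protect only IP-in-IP (protocol 4) between the
# two tunnel endpoints, in transport mode, and require it in both directions
# so unprotected ipencap packets are neither sent nor accepted. In transport
# mode the selectors must be the exact outer /32s the gif tunnel uses.
gen_spd() {
  printf 'spdadd %s/32 %s/32 4 -P out ipsec esp/transport//require;\n' \
    "$OUTER_LOCAL" "$OUTER_PEER"
  printf 'spdadd %s/32 %s/32 4 -P in ipsec esp/transport//require;\n' \
    "$OUTER_PEER" "$OUTER_LOCAL"
}

# rc.conf(5) lines: persistent gif0, its inner /30, and the host route that
# keeps the peer reachable via the internet router even while the T1 is up.
gen_rcconf() {
  printf 'gif_interfaces="gif0"\n'
  printf 'gifconfig_gif0="%s %s"\n' "$OUTER_LOCAL" "$OUTER_PEER"
  printf 'ifconfig_gif0="inet %s %s netmask 255.255.255.252"\n' \
    "$INNER_LOCAL" "$INNER_PEER"
  printf 'static_routes="ipsecpeer"\n'
  printf 'route_ipsecpeer="-host %s %s"\n' "$OUTER_PEER" "$INET_GW"
}

# Apply immediately (root on FreeBSD); the generators above are side-effect free.
apply_tunnel() {
  ifconfig gif0 create
  ifconfig gif0 tunnel "$OUTER_LOCAL" "$OUTER_PEER"
  ifconfig gif0 inet "$INNER_LOCAL" "$INNER_PEER" netmask 255.255.255.252
  route add -host "$OUTER_PEER" "$INET_GW"
  gen_spd | setkey -c
}
```

Verify with `setkey -DP` that both policies are installed and with `ping` across the /30 that traffic is still passing once they are required; a ping that works before `setkey -c` but fails after it means the peer is not negotiating an SA for protocol 4 in transport mode.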
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C229595.20902>